WP3: Policy framework
This WP will deal with the formalisation and management of privacy and security policies, starting from the codification of regulatory principles and requirements into high-level concepts and policies, referred to as the “compliance ontology”. The policies will be refined into sophisticated and fine-grained access and usage control rules. In this context, WP3 will produce all necessary tools for policy specification and management, as well as for advanced knowledge extraction and reasoning to support decisions on data handling and operational control.
Role of participants
ABOVO is leading this WP, contributing to all tasks. It also leads T3.2, targeting the specification and development of the process-oriented and privacy-aware rule-based access and usage control model. BAK will lead the codification of regulatory requirements into the Compliance Ontology (T3.1) with the support of HDPA. SLG will provide significant technical contributions in this WP, especially with regard to reasoning.
Objectives
Starting from a thorough analysis of the Regulation, as well as other related acts, this work package will develop a framework able to capture and formally express the underlying requirements in terms of sophisticated security and privacy policies. Operationally, the role of the policy framework will be twofold: first, it will serve as the basis for privacy-aware access and usage control, providing for attribute-based data collection and overall handling, and managing all associated constraints, including retention periods, separation and binding of duty, and the application of protection measures; second, it will have a process orientation, in the sense of being aligned to the operational needs of organisations, and will be the ground for Regulation-aware process (re-)engineering. Overall, the main objectives of WP3 are the following:
- High-level codification of GDPR by means of a Compliance Ontology.
- Specification and development of a rule-based policy framework devised for access and usage control.
- Knowledge extraction and reasoning upon access and usage control rules.